From: Aleksander Kamenik <aleksander@krediidiinfo.ee>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
Date: Tue, 25 Sep 2007 09:48:54 +0000
Message-ID: <46F8D986.3020605@krediidiinfo.ee>
In-Reply-To: <7ed6b0aa0709242228u211036fdoa33ffa47519ecb2e@mail.gmail.com>
Indunil Jayasooriya wrote:
> SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
> BOTH firewall's default route (gateway) is the router given by our ISP.
Ok, so you understand your problem now?
Assuming the packet arrives at 1.2.3.4 from a random external IP (e.g.
5.5.5.5), is successfully DNATed and rerouted to 2.3.4.5, and there again
DNATed and rerouted to 192.168.x.x. It arrives at the SMTP server and the SMTP server
sends a reply to the original sender 5.5.5.5. It does that via its
default gateway, which I assume is 2.3.4.5. 2.3.4.5 sends it via your
ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.
But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.
And that's exactly what Riccardo said when I read his mail now.
The first problem though is that I'm not sure the DNAT from 1.2.3.4 to
2.3.4.5 works, as the packet would have to leave via the same interface it
came in on. Maybe this works, I've never tried that. Make sure packets arrive
on the SMTP box with tcpdump.
As for the solution, one way would be to SNAT the connection at FW1, but
this would cause the SMTP box to see all the incoming connections as if they
were from 1.2.3.4 and not from their real IPs (5.5.5.5).
Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd
have to mark the packets and then send them to the 2.3.4.5 fw via a
custom route. I'm not sure I could help you with that, never done any
advanced routing.
--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee
Krediidiinfo AS
http://www.krediidiinfo.ee/
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
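The SNAT workaround discussed in the message above, written out as a rule set for the two firewalls. This is an added example and not code from the original thread or its participants. The addresses 1.2.3.4 (FW1), 2.3.4.5 (FW2) and 5.5.5.5 (client) are the ones used in the discussion; the interface name eth0, the internal SMTP address 192.168.1.10 and the run helper with its DRY_RUN mode are assumptions. The point of the POSTROUTING SNAT rule on FW1 is that the SMTP server's replies then go to 1.2.3.4 instead of straight to 5.5.5.5, so FW1 can undo both the DNAT and the SNAT from its conntrack entry and the client sees a reply from the address it actually connected to.

```shell
#!/bin/sh
# Added example for the LARTC thread above; not from the original message.
# Assumed layout (addresses from the discussion, interface/host names assumed):
#   client 5.5.5.5  -->  FW1 1.2.3.4 (eth0)  -->  FW2 2.3.4.5 (eth0)  -->  SMTP 192.168.1.10
# Run with DRY_RUN=1 (the default) to print the rules instead of applying them.

FW1_PUB="1.2.3.4"
FW2_PUB="2.3.4.5"
SMTP_INT="192.168.1.10"   # assumed internal address of the SMTP server
WAN_IF="eth0"             # assumed public interface on both firewalls
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# FW1 (1.2.3.4): DNAT port 25 to FW2 and SNAT the same connection to FW1's
# own address. Without the SNAT the reply leaves FW2 with source 2.3.4.5,
# which 5.5.5.5 never talked to, so the client discards it. The cost is that
# the SMTP box only ever sees 1.2.3.4 as the client address.
fw1_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$FW1_PUB" -p tcp --dport 25 \
        -j DNAT --to-destination "$FW2_PUB"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -d "$FW2_PUB" -p tcp --dport 25 \
        -j SNAT --to-source "$FW1_PUB"
    # Hairpin: the packet enters and leaves on the same interface, so the
    # FORWARD rules must allow eth0 -> eth0 for this connection and its replies.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -d "$FW2_PUB" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# FW2 (2.3.4.5): plain DNAT to the internal SMTP host. Because FW1 rewrote the
# source to 1.2.3.4, the SMTP server's replies route back to FW1, not to the
# ISP gateway, and FW1 reverses both NATs.
fw2_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$FW2_PUB" -p tcp --dport 25 \
        -j DNAT --to-destination "$SMTP_INT"
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -d "$SMTP_INT" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Check on the SMTP box, as suggested in the thread (run manually there):
#   tcpdump -ni any tcp port 25
# With the SNAT in place the SYN should show source 1.2.3.4, and the SYN/ACK
# should be addressed back to 1.2.3.4 rather than to 5.5.5.5.

case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
esac
```

Apply with `DRY_RUN=0 ./nat.sh fw1` on the first firewall and `DRY_RUN=0 ./nat.sh fw2` on the second; run without DRY_RUN first to review the generated rules.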
Thread overview: 8+ messages
2007-09-25 5:40 [LARTC] DNAT PREROUTING issue with IPTABLES Indunil Jayasooriya
2007-09-25 7:50 ` Aleksander Kamenik
2007-09-25 8:35 ` Indunil Jayasooriya
2007-09-25 8:44 ` Aleksander Kamenik
2007-09-25 8:54 ` Riccardo (SCASI)
2007-09-25 9:18 ` Indunil Jayasooriya
2007-09-25 9:48 ` Aleksander Kamenik [this message]
2007-09-25 10:12 ` Indunil Jayasooriya